A New “Undetectable” CrossRAT Malware Targeting Windows, macOS & Linux

A new cross-platform malware called CrossRAT, which almost no antivirus engine detected at the time of writing, targets Windows, macOS, Solaris and Linux systems.

Last week we published a detailed article on the EFF / Lookout report that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in worldwide mobile espionage campaigns.

Although the report focuses on large-scale hacking operations against mobile phones rather than computers, it also uncovered a new desktop malware, CrossRAT (version 0.1), believed to have been developed by, or for, the Dark Caracal group.

According to the researchers, Dark Caracal does not rely on zero-day exploits to distribute its malware; instead, it uses basic social engineering through Facebook group posts and WhatsApp messages, luring users to fake websites controlled by the attackers and getting them to download malicious apps.

CrossRAT is written in Java, which makes it easy for reverse engineers and researchers to decompile: Java bytecode retains class, method and field names, so a decompiler recovers something close to the original source.

Since, at the time of writing, only two of the 58 antivirus engines on VirusTotal detected CrossRAT, former NSA hacker Patrick Wardle decided to analyse the malware and publish a comprehensive technical overview of its persistence mechanisms, command and control (C&C) and capabilities.

CrossRAT Malware 0.1 – Persistent cross-platform monitoring malware

Once executed on the target system, the malware (hmar6.jar) first checks which operating system it is running on and then installs itself accordingly.

It also attempts to collect information about the infected host, including the installed operating system version, kernel build and architecture.

On Linux, the malware additionally queries system files to identify the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora and Linux Mint, among others.

CrossRAT then sets up an operating-system-specific persistence mechanism so that it runs automatically each time the infected system restarts, and registers with the C&C server, which lets the remote attackers send commands and exfiltrate data.
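Because the RAT is a Java jar that re-launches itself from a per-user autostart entry, a practical first check on a suspect host is to enumerate those entries on each OS and look for anything that runs `java -jar`. The script below is an added example (not code from the page, from the CrossRAT sample or from Patrick Wardle's analysis): it parses the three usual per-user autostart stores, Windows HKCU Run values, macOS ~/Library/LaunchAgents plists and Linux ~/.config/autostart .desktop files, and flags entries whose command launches a jar. The `java -jar` heuristic is an assumption made for triage rather than an indicator from the page, and every sample entry in the block is constructed (the name "javaupdate" is a placeholder).

```python
"""Hunt for Java archives launched from per-user autostart locations.

Added example, not code from the page or from the CrossRAT sample. Parses
Windows HKCU Run values, macOS LaunchAgents plists and Linux XDG autostart
.desktop files, and flags any entry whose command runs `java -jar x.jar`.
The heuristic is an assumption for triage; all sample entries are constructed.
"""
import configparser
import plistlib
import re
import shlex

# A java/javaw launcher somewhere in the command, and a `-jar <file>.jar` after it.
JAVA_EXE_RE = re.compile(r'(?:^|[\\/"\s])javaw?(?:\.exe)?"?\s', re.IGNORECASE)
JAR_ARG_RE = re.compile(r'-jar\s+"?[^"]*?\.jar\b', re.IGNORECASE)


def launches_jar(command):
    """True if an autostart command looks like `java -jar x.jar`."""
    return bool(JAVA_EXE_RE.search(command) and JAR_ARG_RE.search(command))


def windows_run_entries(values):
    """values: (value_name, command) pairs as enumerated from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (e.g. with winreg)."""
    return [("windows", "HKCU\\...\\CurrentVersion\\Run", name, cmd) for name, cmd in values]


def launch_agent_entries(plists):
    """plists: (path, raw_plist_bytes) pairs for ~/Library/LaunchAgents/*.plist."""
    out = []
    for path, raw in plists:
        data = plistlib.loads(raw)
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        cmd = " ".join(shlex.quote(str(a)) for a in args if a)
        out.append(("macos", path, data.get("Label", "?"), cmd))
    return out


def xdg_autostart_entries(desktop_files):
    """desktop_files: (path, text) pairs for ~/.config/autostart/*.desktop."""
    out = []
    for path, text in desktop_files:
        cp = configparser.ConfigParser(interpolation=None)  # Exec lines may contain '%U'
        cp.optionxform = str                                # keep key case ("Exec")
        cp.read_string(text)
        if cp.has_section("Desktop Entry"):
            sec = cp["Desktop Entry"]
            out.append(("linux", path, sec.get("Name", "?"), sec.get("Exec", "")))
    return out


def hunt(entries):
    """Return the (os, location, name, command) tuples whose command launches a jar."""
    return [e for e in entries if launches_jar(e[3])]


# Constructed samples so the module runs offline; "javaupdate" is a placeholder, not an IOC.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("javaupdate", r'"C:\Program Files\Java\jre1.8.0_151\bin\javaw.exe" -jar "C:\Users\bob\AppData\Roaming\javaupdate.jar"'),
]
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.javaupdate</string>
<key>ProgramArguments</key><array>
<string>java</string><string>-jar</string><string>/Users/bob/Library/javaupdate.jar</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=javaupdate
Exec=java -jar /home/bob/.config/javaupdate.jar
X-GNOME-Autostart-enabled=true
"""
SAMPLE_BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Nextcloud
Exec=nextcloud --background
"""


def demo():
    """Run the hunt over the constructed samples; returns the flagged entries."""
    entries = (windows_run_entries(SAMPLE_RUN_VALUES)
               + launch_agent_entries([("~/Library/LaunchAgents/com.example.javaupdate.plist", SAMPLE_PLIST)])
               + xdg_autostart_entries([("~/.config/autostart/javaupdate.desktop", SAMPLE_DESKTOP),
                                        ("~/.config/autostart/Nextcloud.desktop", SAMPLE_BENIGN_DESKTOP)]))
    return hunt(entries)


if __name__ == "__main__":
    for os_name, where, name, cmd in demo():
        print(f"[{os_name}] {where} :: {name} -> {cmd}")
```

On a live host you would feed the parsers with real data (winreg enumeration of the Run key, the plist files under LaunchAgents, the .desktop files under ~/.config/autostart); the parsers take the raw content so the same logic works in a forensic image review as on a running system. Treat a hit as a lead, not a verdict: legitimate software is sometimes started the same way, so confirm by pulling the jar and inspecting it.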

CrossRAT includes an inactive keylogger module

The malware has been designed with some basic surveillance features, which are activated only when predefined commands are received from the C&C server.

Interestingly, Patrick noticed that CrossRAT also ships with “jnativehook”, an open-source Java library for listening to keyboard and mouse events, but the malware has no predefined command that activates a keylogger.

“However, I did not see any code in this sample that referenced the jnativehook package, so at this point it seems that this functionality is not used. There might be a good explanation for this: it identifies its version as 0.1, perhaps indicating that it is still a work in progress and therefore not complete,” said Patrick.
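The distinction Patrick draws, a library that is bundled versus one the malware's own classes actually call, can be checked mechanically. A compiled Java class keeps the name of every class it references as a CONSTANT_Utf8 entry in its constant pool, in internal form (for example org/jnativehook/GlobalScreen), so a byte search for the package prefix over the jar's non-library .class entries answers whether anything outside the library calls into it. The block below is an added example (not code from the page or from Patrick Wardle's analysis); the jar it examines is constructed in memory from minimal synthetic class blobs with placeholder names such as app/Client.class, so that the check runs offline.

```python
"""Does a jar's own code reference a library it bundles?

Added example, not code from the page or from Patrick Wardle's analysis.
Referenced class names sit in each class file's constant pool as CONSTANT_Utf8
entries in internal form (org/jnativehook/GlobalScreen), so searching the
bytes of every non-library .class entry for the package prefix shows whether
the library is actually used. The sample jar is constructed for this example.
"""
import io
import struct
import zipfile


def bundles_package(jar_bytes, package_prefix):
    """True if the jar carries classes under package_prefix (e.g. 'org/jnativehook/')."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.startswith(package_prefix) for n in zf.namelist())


def classes_referencing(jar_bytes, package_prefix):
    """Names of .class entries outside package_prefix whose bytes contain it,
    i.e. classes that name something from that package in their constant pool."""
    needle = package_prefix.encode()
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith(package_prefix):
                if needle in zf.read(name):
                    hits.append(name)
    return sorted(hits)


def triage(jar_bytes, package_prefix):
    """One-line verdict: not bundled / bundled but dormant / referenced by N classes."""
    if not bundles_package(jar_bytes, package_prefix):
        return "not bundled"
    refs = classes_referencing(jar_bytes, package_prefix)
    if not refs:
        return "bundled but unreferenced (dormant)"
    return "referenced by %d class(es): %s" % (len(refs), ", ".join(refs))


def synthetic_class(*utf8_entries):
    """Class-file-shaped blob: magic, version 52.0 (Java 8) and a constant pool
    holding only CONSTANT_Utf8 entries. Not loadable by a JVM; it only mimics
    where javac stores referenced class names. Constructed for this example."""
    out = bytearray(struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(utf8_entries) + 1))
    for s in utf8_entries:
        b = s.encode()
        out += struct.pack(">BH", 1, len(b)) + b
    return bytes(out)


def build_sample_jar(wire_keylogger):
    """Constructed jar with placeholder names: the malware's own classes plus a
    bundled org/jnativehook copy. wire_keylogger=True makes the main class
    reference GlobalScreen, as a finished keylogger would; False leaves the
    library bundled but untouched, which is what the page describes."""
    main_refs = ["java/lang/Object", "java/net/Socket", "java/awt/Robot"]
    if wire_keylogger:
        main_refs += ["org/jnativehook/GlobalScreen",
                      "org/jnativehook/keyboard/NativeKeyListener"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: app.Client\n")
        zf.writestr("app/Client.class", synthetic_class(*main_refs))
        zf.writestr("app/Persist.class", synthetic_class("java/lang/Object", "java/io/File"))
        zf.writestr("org/jnativehook/GlobalScreen.class",
                    synthetic_class("org/jnativehook/GlobalScreen",
                                    "org/jnativehook/NativeInputEvent"))
        zf.writestr("org/jnativehook/keyboard/NativeKeyListener.class",
                    synthetic_class("org/jnativehook/keyboard/NativeKeyListener"))
    return buf.getvalue()


if __name__ == "__main__":
    for wired in (False, True):
        print("jnativehook:", triage(build_sample_jar(wired), "org/jnativehook/"))
```

Against a real sample you would pass the bytes of the jar itself. The byte search is deliberately coarse: a string literal containing the package name would also match, so confirm any hit with `javap -v` (or a proper constant-pool parser) before concluding that a feature is wired up, and remember that a dormant library in version 0.1 may be live in the next build.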

Official Hacker is your news, tips and tricks website. We provide you with the latest hacking news and hacking tutorials straight from the cyber industry.